[imp] improper session creation when accessed from bookmark or browser "back" button

Liam Hoekenga liamr at umich.edu
Thu Jan 6 19:01:32 PST 2005


This is a follow-up to my thread from late November 2004:
http://marc.theaimsgroup.com/?l=imp&m=110131217520229&w=2

We're using IMP 4.x.

We've got IMP behind our SSO (CoSign), talking to a local IMAP server (proxyd)
that doesn't require a password (and only accepts local connections).  We're
using a modified version of the "Auto" authentication mechanism, setting the
uid to $_SERVER['REMOTE_USER'] instead of horde_user (and populating the
password variable).  We're using transparent authentication.

It's working great, but we're having a problem when people access IMP 4.0.x
from a bookmark or from the browser's back button.

If users access IMP through the "front door", e.g.

    https://webmail.example.com/horde/imp/

or

    https://webmail.example.com/horde/imp/index.php

the session gets created properly and everything works great.  The urls in the
browser look like..

https://webmail.example.com/horde/imp/redirect.php?Horde=241a01f8f30ee6864e0e57fac2868b02&actionID=login&autologin=1&server_key=umce
https://webmail.example.com/horde/imp/mailbox.php?mailbox=INBOX&actionID=login

or, the conversation in the transfer log...

xx.xx.xx.xx - liamr [06/Jan/2005:21:11:38 -0500] "GET
/horde/imp/redirect.php?Horde=241a01f8f30ee6864e0e57fac2868b02&actionID=login&autologin=1&server_key=umce
HTTP/1.1" 200 38
"https://weblogin.umich.edu/?cosign-test-mail=AeIyEGJdBEz4oMEWvcikq35AKmnIJBmXkNpxu-UpkTuYZUmEwHn3tdQN47rXCXPJZyjNKKiupGZLduhl0gMjuAkV9KqIJ5t36QKZxoObpAB6N2wwcVntaTrnDN6P;&https://test-mail.www.umich.edu/"
"Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.5) Gecko/20041107
Firefox/1.0"
xx.xx.xx.xx - liamr [06/Jan/2005:21:11:38 -0500] "GET /horde/imp/ HTTP/1.1" 200
38 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.5)
Gecko/20041107 Firefox/1.0"
xx.xx.xx.xx - liamr [06/Jan/2005:21:11:40 -0500] "GET
/horde/imp/mailbox.php?mailbox=INBOX&actionID=login HTTP/1.1" 200 8671 "-"
"Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.5)
Gecko/20041107 Firefox/1.0"

If people use a bookmark to access IMP, however, they are presented with a
message index that is either empty, or contains the first message in the
mailbox (as determined by the current sort order).  The session doesn't seem to
get initiated properly, and indeed, the URLs in the browser and the conversation
in the transfer log are different..

https://webmail.example.com/horde/imp/mailbox.php?mailbox=INBOX&Horde=f4633a4eedcf26551bdbc703d086f9a8

xx.xx.xx.xx - - [06/Jan/2005:21:13:47 -0500] "GET
/horde/imp/mailbox.php?mailbox=INBOX HTTP/1.1" 302 434 "-" "Mozilla/5.0
(Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.5) Gecko/20041107
Firefox/1.0"
xx.xx.xx.xx - liamr [06/Jan/2005:21:13:55 -0500] "GET
/horde/imp/mailbox.php?mailbox=INBOX HTTP/1.1" 302 5
"https://weblogin.umich.edu/?cosign-test-mail=1bjIzuQdfCm2j4XjrDbqiyJHwj4ihz38rF00yW7cuHoBNlXGh8oNEPkS01qhgW81v86XA1+0aqJ7Doi0c9+N9dooxBjiyhOawhX3cFXcLE6gQarQ3jFp3DuEZDPj;&https://webmail.example.com/horde/imp/mailbox.php?mailbox=INBOX"
"Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.5) Gecko/20041107
Firefox/1.0"
xx.xx.xx.xx - liamr [06/Jan/2005:21:13:55 -0500] "GET
/horde/login.php?url=%2Fhorde%2Fimp%2Fmailbox.php%3Fmailbox%3DINBOX%26amp%3BHorde%3Df4633a4eedcf26551bdbc703d086f9a8&Horde=f4633a4eedcf26551bdbc703d086f9a8
HTTP/1.1" 302 38
"https://weblogin.umich.edu/?cosign-test-mail=1bjIzuQdfCm2j4XjrDbqiyJHwj4ihz38rF00yW7cuHoBNlXGh8oNEPkS01qhgW81v86XA1+0aqJ7Doi0c9+N9dooxBjiyhOawhX3cFXcLE6gQarQ3jFp3DuEZDPj;&https://webmail.example.com/horde/imp/mailbox.php?mailbox=INBOX"
"Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.5) Gecko/20041107
Firefox/1.0"
xx.xx.xx.xx - liamr [06/Jan/2005:21:13:56 -0500] "GET
/horde/imp/mailbox.php?mailbox=INBOX&Horde=f4633a4eedcf26551bdbc703d086f9a8
HTTP/1.1" 200 6424
"https://weblogin.umich.edu/?cosign-test-mail=1bjIzuQdfCm2j4XjrDbqiyJHwj4ihz38rF00yW7cuHoBNlXGh8oNEPkS01qhgW81v86XA1+0aqJ7Doi0c9+N9dooxBjiyhOawhX3cFXcLE6gQarQ3jFp3DuEZDPj;&https://webmail.example.com/horde/imp/mailbox.php?mailbox=INBOX"
"Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.5) Gecko/20041107
Firefox/1.0"

I know for a fact the users bookmark /horde/imp/mailbox.php, and having direct
access to that file improperly initiate the session is a huge problem.  I can
provide a test account to any of the Horde team that would like to investigate.
It's easily reproducible in our environment, but would take some work to set up
a similar environment elsewhere.

We need to get this resolved before we're going to be able to push this out to
our campus.  Any help would be very much appreciated.

Liam
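The two transfer-log transcripts above differ in one checkable way: in the front-door case the Horde session id first appears on redirect.php?actionID=login, whereas in the bookmark case it first appears on login.php and is then carried on the 200 for mailbox.php. The following is an added log-checking example (not code from the post or from Horde) that parses Apache combined-format lines and flags mailbox.php views whose session id was never bootstrapped through the login redirect; the sample lines are constructed from the transcripts in the post, with the CoSign tokens, host and user agent shortened to placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def parse_line(line):
    """Return a dict for one log line (path, query dict, int status), or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["query"] = {k: v[0] for k, v in parse_qs(url.query).items()}
    rec["status"] = int(rec["status"])
    return rec

def find_unbootstrapped_sessions(lines):
    """Return (user, time, target) for every 200 on mailbox.php that carries a
    Horde= session id which was never seen on redirect.php?actionID=login."""
    bootstrapped = set()   # session ids that went through the login redirect
    flagged = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        sid = rec["query"].get("Horde")
        if rec["path"].endswith("/imp/redirect.php") and sid \
                and rec["query"].get("actionID") == "login":
            bootstrapped.add(sid)
        elif rec["path"].endswith("/imp/mailbox.php") and rec["status"] == 200 \
                and sid and sid not in bootstrapped:
            flagged.append((rec["user"], rec["time"], rec["target"]))
    return flagged

# Constructed sample input, abbreviated from the two transcripts in the post.
FRONT_DOOR_LOG = [
    'xx.xx.xx.xx - liamr [06/Jan/2005:21:11:38 -0500] "GET /horde/imp/redirect.php?Horde=241a01f8f30ee6864e0e57fac2868b02&actionID=login&autologin=1&server_key=umce HTTP/1.1" 200 38 "https://weblogin.example.edu/?cosign-test-mail=TOKEN1;&https://webmail.example.com/" "Mozilla/5.0"',
    'xx.xx.xx.xx - liamr [06/Jan/2005:21:11:38 -0500] "GET /horde/imp/ HTTP/1.1" 200 38 "-" "Mozilla/5.0"',
    'xx.xx.xx.xx - liamr [06/Jan/2005:21:11:40 -0500] "GET /horde/imp/mailbox.php?mailbox=INBOX&actionID=login HTTP/1.1" 200 8671 "-" "Mozilla/5.0"',
]
BOOKMARK_LOG = [
    'xx.xx.xx.xx - - [06/Jan/2005:21:13:47 -0500] "GET /horde/imp/mailbox.php?mailbox=INBOX HTTP/1.1" 302 434 "-" "Mozilla/5.0"',
    'xx.xx.xx.xx - liamr [06/Jan/2005:21:13:55 -0500] "GET /horde/imp/mailbox.php?mailbox=INBOX HTTP/1.1" 302 5 "https://weblogin.example.edu/?cosign-test-mail=TOKEN2;&https://webmail.example.com/horde/imp/mailbox.php?mailbox=INBOX" "Mozilla/5.0"',
    'xx.xx.xx.xx - liamr [06/Jan/2005:21:13:55 -0500] "GET /horde/login.php?url=%2Fhorde%2Fimp%2Fmailbox.php%3Fmailbox%3DINBOX%26amp%3BHorde%3Df4633a4eedcf26551bdbc703d086f9a8&Horde=f4633a4eedcf26551bdbc703d086f9a8 HTTP/1.1" 302 38 "https://weblogin.example.edu/?cosign-test-mail=TOKEN2;&https://webmail.example.com/horde/imp/mailbox.php?mailbox=INBOX" "Mozilla/5.0"',
    'xx.xx.xx.xx - liamr [06/Jan/2005:21:13:56 -0500] "GET /horde/imp/mailbox.php?mailbox=INBOX&Horde=f4633a4eedcf26551bdbc703d086f9a8 HTTP/1.1" 200 6424 "https://weblogin.example.edu/?cosign-test-mail=TOKEN2;&https://webmail.example.com/horde/imp/mailbox.php?mailbox=INBOX" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_unbootstrapped_sessions(FRONT_DOOR_LOG + BOOKMARK_LOG):
        print("session not bootstrapped via login redirect:", hit)
```

The check is derived only from the two flows shown in the post; a deployment whose normal login path never passes through redirect.php would need the bootstrap condition adjusted.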

